Carmon Posted April 19, 2005

Hey all, I got this spyware called Aurora on my PC. I've tried all the spyware programs, i.e.
Ad-ware
M$
S&D
Spysweeper
and before ya all go "get Firefox, it's great" blah blah etc lol, I've tried it and Aurora still rids it bits lol. It's **** pop up and also certain words, say like *PC*, will be highlighted in green as an advert link.
Ad-ware, M$ and Spysweeper found it but says it can't remove due to it playing in the background, so I try and close it in Ctrl + Alt + Del, but I close it and it loads up again but as a different name, say for example I close ad.exe, it starts up with ad2.exe etc. So I tried doing a scan in Safe Mode and all the ad-ware programs didn't find it. I've run out of ideas, so any better idea please tell me, cheers.

firefoxthebomb Posted April 19, 2005

Well what can I say, spyware is always hard to defeat. When I come across one that I cannot get rid of, I use a program called Winspy to see what process is using and launching that program and kill the exe or dll file that launches it.

Carmon (Author) Posted April 19, 2005

^ Cheers for the tool, it told me where it was and deleted it, but... 3 mins after I deleted it, it returned back again :S

DigeratiPrime Posted April 19, 2005

Just to be clear, Firefox is a web browser, not a spyware removal program.
Make sure you update Ad-Aware and do a deep scan in safe mode.
You can also read through this:
http://forums.techguy.org/showthread.php?t=353342

Carmon (Author) Posted April 20, 2005

I didn't mean that Firefox is an anti-spyware remover, I meant that people say don't use IE, get Firefox cuz it's better etc.
But cheers, I followed the guide but still no luck.

Martin Zugec Posted April 20, 2005

Ok, could you please post your HijackThis log?

Martin Zugec Posted April 20, 2005

Also please run the command "wmic process get name" and post the result.

Carmon (Author) Posted April 20, 2005

Logfile of HijackThis v1.99.1

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Raxco\PerfectDisk\PDSched.exe
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
C:\Program Files\Softwin\BitDefender8\vsserv.exe
C:\Program Files\Ad Muncher\AdMunch.exe
c:\windows\system32\hvjtofo.exe
C:\Program Files\Softwin\BitDefender8\bdnagent.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\CaRm0n\Desktop\New Folder\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Ad Muncher] C:\Program Files\Ad Muncher\AdMunch.exe /bt
O4 - HKLM\..\Run: [BDMCon] C:\PROGRA~1\Softwin\BITDEF~1\bdmcon.exe
O4 - HKLM\..\Run: [BDNewsAgent] C:\PROGRA~1\Softwin\BITDEF~1\bdnagent.exe
O4 - HKLM\..\Run: [waaehqr] c:\windows\system32\hvjtofo.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0527.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0527.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1109956786714
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/autocomplete.cab
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: PDScheduler (PDSched) - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDSched.exe
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe (file missing)
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - Unknown owner - C:\Program Files\Softwin\BitDefender8\vsserv.exe
O23 - Service: BitDefender Communicator (XCOMM) - Softwin - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe

there ya go

Martin Zugec Posted April 20, 2005

Here is your problem:
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O4 - HKLM\..\Run: [waaehqr] c:\windows\system32\hvjtofo.exe
Try to remove that hvjtofo.exe from the registry. Give the system a few minutes and check again - if it restored these registry settings, there is something called respawner spyware. Run RegMon and set monitoring to this key - you will find out which process is respawning the value. Also use Process Monitor instead of Task Manager to see if there is a process tree with parent process nail or hvjtofo. Kill the whole process tree.
Did it help?

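Added example, not part of the original posts: a Python sketch of the check described in the post above. It parses the F2/O4 autostart lines of a HijackThis log, lists what the Shell value launches besides Explorer.exe, and compares a later scan to see which deleted values were written back. The function names and the second scan are constructed for illustration.

```python
import re

# Constructed input: three entries copied from the HijackThis log posted above.
BEFORE = r"""
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [waaehqr] c:\windows\system32\hvjtofo.exe
"""
# Constructed second scan, a few minutes after both flagged values were
# deleted: the Run value has been written back, the Shell value has not.
AFTER = r"""
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [waaehqr] c:\windows\system32\hvjtofo.exe
"""

ENTRY = re.compile(r"^(F2|O4) - (.+?): (.+)$")

def autostarts(log):
    """Return {(section, location, name): command} for F2 and O4 lines."""
    found = {}
    for line in log.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue
        section, location, rest = m.groups()
        if rest.startswith("["):      # O4 Run value: [name] command
            name, _, command = rest[1:].partition("]")
        else:                         # F2 "Shell=..." or O4 "x.lnk = path"
            name, _, command = rest.partition("=")
        found[(section, location.lower(), name.strip().lower())] = command.strip()
    return found

def shell_extras(entries):
    """Anything the Shell value launches besides Explorer.exe."""
    extras = []
    for (section, _, name), command in entries.items():
        if section == "F2" and name == "shell":
            first, _, rest = command.partition(" ")
            if first.lower() != "explorer.exe":
                extras.append(command)
            elif rest.strip():
                extras.append(rest.strip())
    return extras

def respawned(removed, later_log):
    """Keys that were deleted but are present again in a later scan."""
    later = autostarts(later_log)
    return sorted(key for key in removed if key in later)

if __name__ == "__main__":
    before = autostarts(BEFORE)
    print("Shell extras:", shell_extras(before))
    removed = [k for k in before if k[2] in ("shell", "waaehqr")]
    print("Respawned:", respawned(removed, AFTER))
```
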
Carmon (Author) Posted April 20, 2005

Well, it did for 5 mins, then it popped back up again, so something is still bringing it back up but I dunno what :S

DigeratiPrime Posted April 20, 2005

Check on the 2nd post here.
http://forums.techguy.org/showthread.php?t=353323

Carmon (Author) Posted April 20, 2005

Well, read through that. I've used all the anti-adware/spyware stuff, gone through all the guides, this has got me puzzled to hell lol. I don't wanna do the big format cuz I ain't got the time. So any other idea, or wanna test a program that might work, give a link.

Aegis Posted April 20, 2005

Hope this works... If it does not, try to find as many arbitrary seven character files as you can and post it.
delspy.rar

DigeratiPrime Posted April 21, 2005

I wonder if you could run a Linux live CD with NTFS read/write and just delete the trouble files.
Or use something like this:
http://ubcd4win.com/
http://www.seanster.com/Super_WinPE/SuperWinPE2.htm

DigeratiPrime Posted April 21, 2005

http://www.bullguard.com/forum/12/Does-any...rora_12733.html
The second to last post claims to have successfully removed the trouble files.
The last post mentions using an uninstall program. NOTE: I have seen various people mention this uninstaller but they only have 1 post count. So they may be cons.